
CVE-2022-31197 - SQL Injection vulnerability in org.postgresql:postgresql

Open · abstractj opened this issue 3 years ago

Overview

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.

Affected versions of this package are vulnerable to SQL Injection via the java.sql.ResultRow.refreshRow() function in jdbc/PgResultSet.java, due to insufficient escaping of column names. An attacker with control of the underlying database can name a column with a string containing a semicolon or other statement terminator, then convince a user to run a query against the table with the compromised column, and then have the application run ResultSet.refreshRow(), to execute code.

NOTE:

  • An application that only connects to its own database with a fixed schema with no DDL permissions is not affected by this vulnerability.
  • Additionally, applications that do not invoke ResultSet.refreshRow() are not affected.

Remediation

Upgrade org.postgresql:postgresql to version 42.2.26, 42.4.1 or higher.

References

abstractj avatar Aug 11 '22 19:08 abstractj
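To make the defect class in the advisory concrete from the defending side, here is an added Java illustration. It is not code from pgjdbc, from Keycloak, or from this issue: the table and column names are constructed, the re-select query shape is simplified (the row-locating clause is a placeholder), and quoteIdentifier is a hypothetical helper that applies PostgreSQL's double-quote rules for identifiers. It contrasts a query assembled by pasting catalog-supplied column names into SQL text with the same query built from quoted identifiers, and adds a small schema audit that lists column names that could not stand unquoted. The remediation for the actual driver is still the upgrade named above.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/**
 * Illustration of the defect class behind CVE-2022-31197: SQL text assembled
 * from column names read out of the database's own catalog. Everything here
 * (names, query shape, helper) is constructed for the example; none of it is
 * pgjdbc code.
 */
public final class IdentifierSafety {

    /** Names that can stand unquoted in PostgreSQL: ASCII letters, digits, underscore, no leading digit. */
    private static final Pattern PLAIN_IDENTIFIER = Pattern.compile("^[A-Za-z_][A-Za-z0-9_]*$");

    private IdentifierSafety() {}

    /** Hypothetical helper: wrap an identifier in double quotes and double any embedded double quote. */
    static String quoteIdentifier(String name) {
        if (name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("identifier contains a NUL byte");
        }
        return "\"" + name.replace("\"", "\"\"") + "\"";
    }

    /**
     * The risky shape: a re-select built by concatenating catalog-supplied column
     * names into the statement text. A name containing ';' ends the SELECT early,
     * and whatever follows the semicolon is parsed as a second statement.
     * (Row-locating clause simplified to a placeholder.)
     */
    static String naiveRefreshQuery(String table, List<String> columns) {
        return "SELECT " + String.join(", ", columns) + " FROM " + table + " WHERE id = ?";
    }

    /** Same query with every identifier quoted: ';' and '"' inside a name stay inside that name. */
    static String quotedRefreshQuery(String table, List<String> columns) {
        String cols = columns.stream()
                .map(IdentifierSafety::quoteIdentifier)
                .collect(Collectors.joining(", "));
        return "SELECT " + cols + " FROM " + quoteIdentifier(table) + " WHERE " + quoteIdentifier("id") + " = ?";
    }

    /** Schema audit helper: report column names that could not stand unquoted in SQL text. */
    static List<String> nonPlainColumns(List<String> columns) {
        List<String> flagged = new ArrayList<>();
        for (String c : columns) {
            if (!PLAIN_IDENTIFIER.matcher(c).matches()) {
                flagged.add(c);
            }
        }
        return flagged;
    }

    public static void main(String[] args) {
        // Constructed column list; the last name carries a statement terminator and a
        // double quote, the kind of name the advisory says someone with DDL rights could create.
        List<String> columns = List.of("id", "email", "note; \"x");

        System.out.println("naive : " + naiveRefreshQuery("users", columns));
        System.out.println("quoted: " + quotedRefreshQuery("users", columns));
        System.out.println("audit : " + nonPlainColumns(columns));
    }
}
```

Running main shows the naive string split into two statements at the semicolon, the quoted string keeping the whole third name inside one "..." identifier (with the embedded quote doubled), and the audit listing only that third column. The audit is the check worth adding to a schema review: an application that controls its own schema should never see a non-plain column name, and one appearing is a signal, not something to quote around and move on.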

In order to update the postgresql dependency, we depend on https://github.com/keycloak/keycloak/issues/12210

abstractj avatar Aug 11 '22 20:08 abstractj

@abstractj wasn't this solved by https://github.com/keycloak/keycloak/pull/14006 ?

trixpan avatar Sep 13 '22 01:09 trixpan

@trixpan that's correct, and thanks for bringing this to our attention.

abstractj avatar Oct 19 '22 17:10 abstractj

Hello @abstractj and @trixpan, could you please confirm in which version of Keycloak this issue was fixed?

mikemicky4321 avatar Oct 31 '22 08:10 mikemicky4321

@mikemicky4321 Keycloak 20, please see the milestone.

abstractj avatar Oct 31 '22 12:10 abstractj